Hi,
I have a problem listing/accessing a share hosted on a Samba domain member server from a Windows client. I followed the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member step by step, but I used sssd instead of winbind for the authentication method. The Linux Samba server is an Ubuntu server 16.04 and I successfully added this Samba server to a Windows Active Directory domain (Windows Server 2012 R2). I log in to the domain server machine as a domain admins user, but I'm not able to list/access the share: when I type \\servername in Windows Explorer I get access denied, with a request to enter the credentials of a user enabled for it. Only the user mapped in /etc/samba/user.map can manage the server via the ADUC interface and list, but I've assigned the SeDiskOperatorPrivilege to the whole domain admins group:

root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
  COM_SPOLETO\Domain Admins
  BUILTIN\Administrators

Is there anyone who can help me?

Below my configuration files.

----------------------------------------------------------------------
My /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = standalone server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        username map = /etc/samba/user.map
        unix password sync = Yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config comune.spoleto.local : range = 10000-29999
        idmap config comune.spoleto.local : backend = rig
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes

-----------------------------------------------------------------------------
My /etc/samba/user.map

!root = COM_SPOLETO\Adminserver

----------------------------------------------------------------
My /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss winbind
group:          compat sss winbind
shadow:         compat sss
gshadow:        files

hosts:          files dns winbind
networks:       files

protocols:      db files
services:       db files sss winbind
ethers:         db files
rpc:            db files

netgroup:       nis sss winbind
sudoers:        files sss winbind

---------------------------------------------------------------------------------------------------------------------
My /etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = COMUNE.SPOLETO.LOCAL

[domain/COMUNE.SPOLETO.LOCAL]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.
# Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = SRVLNXINTRA01.comune.spoleto.local

# Uncomment if DNS SRV resolution is not working
# ad_server = SRVW3KDC01.comune.spoleto.local

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = COMUNE.SPOLETO.LOCAL

# Enumeration is discouraged for performance reasons.
# enumerate = true

-------------------------------------------------------------------------------------------
My /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        ticket_lifetime = 24h
#       renew_lifetime = 7d

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        COMUNE.SPOLETO.LOCAL = {
                kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
                master_kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
                admin_server = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
                default_domain = COMUNE.SPOLETO.LOCAL
        }

[domain_realm]
        .comune.spoleto.local = COMUNE.SPOLETO.LOCAL
        comune.spoleto.local = COMUNE.SPOLETO.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

-------------------------------------------------------------------------------------------

Sent from Mail for Windows 10

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Please see inline comments:

On Mon, 8 Jan 2018 14:41:01 +0100
Andrea Rossetti via samba <[hidden email]> wrote:

> Hi,
> I have a problem listing/accessing a share hosted on a Samba domain
> member server from a Windows client. I followed the instructions from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> step by step, but I used sssd instead of winbind for the
> authentication method.

Then you didn't follow the wiki page.

> The Linux Samba server is an Ubuntu server
> 16.04 and I successfully added this Samba server to a Windows Active
> Directory domain (Windows Server 2012 R2). I log in to the domain
> server machine as a domain admins user, but I'm not able to
> list/access the share: when I type \\servername in Windows Explorer
> I get access denied, with a request to enter the credentials of a
> user enabled for it. Only the user mapped in /etc/samba/user.map can
> manage the server via the ADUC interface and list, but I've assigned
> the SeDiskOperatorPrivilege to the whole domain admins group:

The only mapping in the user.map should be Administrator to root.

> root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
> Enter com_spoleto\adminserver's password:
> SeDiskOperatorPrivilege:
>   COM_SPOLETO\Domain Admins
>   BUILTIN\Administrators
>
> Is there anyone who can help me?
>
> Below my configuration files.
> ----------------------------------------------------------------------
> My /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = COM_SPOLETO
>         realm = COMUNE.SPOLETO.LOCAL
>         server string = %h server (Samba, Ubuntu)
>         interfaces = lo ens32
>         bind interfaces only = Yes
>         server role = standalone server
>         security = ADS

'server role' is wrong, it is a Unix domain member

>         map to guest = Bad User
>         obey pam restrictions = Yes
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

I would remove the above 4 lines, you do not need them in a Unix domain member smb.conf

>         username map = /etc/samba/user.map
>         unix password sync = Yes

You definitely do not want the above line in a Unix domain member smb.conf, all your domain members should be in AD.

>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         client signing = if_required
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         winbind refresh tickets = Yes
>         idmap config comune.spoleto.local : range = 10000-29999
>         idmap config comune.spoleto.local : backend = rig
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb

As you are using sssd, you don't need the lines above, also it is 'rid' not 'rig'

> -----------------------------------------------------------------------------
> My /etc/samba/user.map
> !root = COM_SPOLETO\Adminserver

It is Administrator not Adminserver

> ----------------------------------------------------------------
> My /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat sss winbind
> group:          compat sss winbind

You either use 'sss' or 'winbind', not both

> shadow:         compat sss

You shouldn't add anything to the shadow line.

> gshadow:        files
>
> hosts:          files dns winbind

You do not use winbind for hosts

> networks:       files
>
> protocols:      db files
> services:       db files sss winbind

Same goes for services

> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss winbind
> sudoers:        files sss winbind

Same goes for netgroup and sudoers

> ---------------------------------------------------------------------------------------------------------------------
> My /etc/sssd/sssd.conf
> [sssd]

Pointless telling us what your sssd.conf is, it isn't anything to do with Samba

> -------------------------------------------------------------------------------------------
> My /etc/krb5.conf
> [libdefaults]
>         default_realm = COMUNE.SPOLETO.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>

This is all you need in krb5.conf.

I would make the alterations I have suggested, then choose whether to use 'sssd' or 'winbind', you cannot use both. If you decide to continue to use 'sssd' and you still have problems, you need to ask on the 'sssd-users' mailing list.

Rowland
Thanks for the rapid reply!

I think the problem was in the server role option: I've modified it to "server member" and now I'm able to list the shares under \\linuxserver from any domain user authenticated on a Windows PC AD member. But now:

1. Execute Computer Management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin, which is a "domain admins" member).
2. Right click on Computer Management -> connect to another computer -> srvlnxwintra01 (the Linux member server).
3. I expand "System Tools" -> I expand "Shared Folders" -> click on "Shares", right click on "share" -> click Properties -> click on the "Security" tab.

In this tab I have the message "You must have Read permission to view the properties of this object", even though I have granted SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group. But if I execute "Computer Management" as the "com_spoleto\adminserver" user (I explained below the reason I used this user) I can view/modify the ACLs.

Please see MY inline comments, and at the end of this message I pasted my modified config files:

Sent from Mail for Windows 10

From: Rowland Penny
Sent: Monday 8 January 2018 15:15
To: [hidden email]
Cc: Andrea Rossetti
Subject: Re: [Samba] cannot list/access samba share from Windows client

>> The Linux Samba server is an Ubuntu server
>> 16.04 and I successfully added this Samba server to a Windows Active
>> Directory domain (Windows Server 2012 R2). I log in to the domain
>> server machine as a domain admins user, but I'm not able to
>> list/access the share: when I type \\servername in Windows Explorer
>> I get access denied, with a request to enter the credentials of a
>> user enabled for it. Only the user mapped in /etc/samba/user.map can
>> manage the server via the ADUC interface and list, but I've assigned
>> the SeDiskOperatorPrivilege to the whole domain admins group:

> The only mapping in the user.map should be Administrator to root.

I've mapped the user COM_SPOLETO\adminserver because it is an enterprise admin like COM_SPOLETO\Administrator. For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group (see lines below):

>> root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
>> Enter com_spoleto\adminserver's password:
>> SeDiskOperatorPrivilege:
>>   COM_SPOLETO\Domain Admins
>>   BUILTIN\Administrators

>> -----------------------------------------------------------------------------
>> My /etc/samba/user.map
>> !root = COM_SPOLETO\Adminserver

> It is Administrator not Adminserver

As just explained, adminserver is for us the enterprise domain admin.

----------------------------------------------
My modified /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No

-------------------------------------------------------------------------------
My modified /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

--------------------------------------------------------------------------------
My modified /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
On Mon, 8 Jan 2018 18:27:44 +0100
Andrea Rossetti <[hidden email]> wrote:

> Thanks for the rapid reply!
>
> I think the problem was in the server role option: I've modified it
> to "server member" and now I'm able to list the shares under
> \\linuxserver from any domain user authenticated on a Windows PC AD
> member. But now:
>
> 1. Execute Computer Management from a Windows domain member client as
> a domain admin user (run as com_spoleto\rossetti.admin, which is a
> "domain admins" member).
> 2. Right click on Computer Management -> connect to another computer
> -> srvlnxwintra01 (the Linux member server).
> 3. I expand "System Tools" -> I expand "Shared Folders" -> click on
> "Shares", right click on "share" -> click Properties -> click on the
> "Security" tab.
>
> In this tab I have the message "You must have Read permission to view
> the properties of this object", even though I have granted
> SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group. But
> if I execute "Computer Management" as the "com_spoleto\adminserver"
> user (I explained below the reason I used this user) I can view/modify
> the ACLs.
>
> Please see MY inline comments, and at the end of this message I
> pasted my modified config files:
>
> Sent from Mail for Windows 10
>
> From: Rowland Penny
> Sent: Monday 8 January 2018 15:15
> To: [hidden email]
> Cc: Andrea Rossetti
> Subject: Re: [Samba] cannot list/access samba share from Windows
> client
>
> >> The Linux Samba server is an Ubuntu server
> >> 16.04 and I successfully added this Samba server to a Windows
> >> Active Directory domain (Windows Server 2012 R2). I log in to the
> >> domain server machine as a domain admins user, but I'm not able to
> >> list/access the share: when I type \\servername in Windows Explorer
> >> I get access denied, with a request to enter the credentials of a
> >> user enabled for it. Only the user mapped in /etc/samba/user.map
> >> can manage the server via the ADUC interface and list, but I've
> >> assigned the SeDiskOperatorPrivilege to the whole domain admins
> >> group:
>
> > The only mapping in the user.map should be Administrator to root.
>
> I've mapped the user COM_SPOLETO\adminserver because it is an
> enterprise admin like COM_SPOLETO\Administrator. For security
> reasons we have disabled the Administrator user account. In fact I
> used adminserver to grant SeDiskOperatorPrivilege to the
> "com_spoleto\domain admins" group (see lines below):
>
> >> root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
> >> Enter com_spoleto\adminserver's password:
> >> SeDiskOperatorPrivilege:
> >>   COM_SPOLETO\Domain Admins
> >>   BUILTIN\Administrators
>
> >> -----------------------------------------------------------------------------
> >> My /etc/samba/user.map
> >> !root = COM_SPOLETO\Adminserver
>
> > It is Administrator not Adminserver
>
> As just explained, adminserver is for us the enterprise domain
> admin.
>
> ----------------------------------------------
> My modified /etc/samba/smb.conf
>
> # Global parameters
> [global]
>         workgroup = COM_SPOLETO
>         realm = COMUNE.SPOLETO.LOCAL
>         server string = %h server (Samba, Ubuntu)
>         interfaces = lo ens32
>         bind interfaces only = Yes
>         server role = member server
>         security = ADS
>         map to guest = Bad User
>         username map = /etc/samba/user.map
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         client signing = if_required
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         create mask = 0700
>         printable = Yes
>         browseable = No
>
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
>
> [share]
>         comment = Progetti QGIS per Lizmap
>         path = /home/data/share
>         read only = No
>
> -------------------------------------------------------------------------------
> My modified /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis sss
> sudoers:        files sss
>
> --------------------------------------------------------------------------------
> My modified /etc/krb5.conf
>
> [libdefaults]
>         default_realm = COMUNE.SPOLETO.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

You are now solely using sssd for the authentication, you need to ask on the sssd-users mailing list, either that or purge sssd and set up winbind correctly.

I repeat, 'sssd' has nothing to do with Samba and as such, I cannot help any further.

Rowland
Sent from Mail for Windows 10

> From: Rowland Penny via samba
> Sent: Monday 8 January 2018 18:48
> To: [hidden email]
> Subject: Re: [Samba] R: cannot list/access samba share from Windows client
>
> You are now solely using sssd for the authentication, you need to ask
> on the sssd-users mailing list, either that or purge sssd and set up
> winbind correctly.
> I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
> help any further.
>
> Rowland

OK, I tried to purge sssd and configure winbind.

apt-get remove --purge sssd && apt-get autoremove --purge

I successfully removed and re-joined the Linux domain member:

root@SRVLNXWINTRA01:/home/data# net ads leave -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Deleted account for 'SRVLNXWINTRA01' in realm 'COMUNE.SPOLETO.LOCAL'
root@SRVLNXWINTRA01:/home/data# net ads join -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Using short domain name -- COM_SPOLETO
Joined 'SRVLNXWINTRA01' to dns domain 'comune.spoleto.local'

I modified the config files (see below) and restarted the services:

systemctl restart smbd nmbd winbind

I verified that the SeDiskOperatorPrivilege was set up correctly for the "domain admins" group:

root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
  COM_SPOLETO\Domain Admins
  BUILTIN\Administrators

I verified the connectivity with the domain:

root@SRVLNXWINTRA01:/home/data# wbinfo --ping-dc
checking the NETLOGON for domain[COM_SPOLETO] dc connection to "SRVW3KDC01.comune.spoleto.local" succeeded

but now when I look up domain users and groups:

root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"

I get no response, and so I'm unable to assign the permission attribute to the share:

root@SRVLNXWINTRA01:/home/data# LANG=en_EN chown root:"com_spoleto\domain admins" share
chown: invalid group: 'root:com_spoleto\\domain admins'

I'm very confused now!

--------------------------------------------------------------------------------
now my /etc/samba/smb.conf is

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config com_spoleto : range = 10000-29999
        idmap config com_spoleto : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes

----------------------------------------------------------------------------
My /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files

-------------------------------------------------------------------------------------
My /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
On Mon, 8 Jan 2018 19:57:59 +0100
Andrea Rossetti <[hidden email]> wrote:

> Sent from Mail for Windows 10
>
> > From: Rowland Penny via samba
> > Sent: Monday 8 January 2018 18:48
> > To: [hidden email]
> > Subject: Re: [Samba] R: cannot list/access samba share from Windows
> > client
> >
> > You are now solely using sssd for the authentication, you need to ask
> > on the sssd-users mailing list, either that or purge sssd and set up
> > winbind correctly.
> > I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
> > help any further.
> >
> > Rowland
>
> OK, I tried to purge sssd and configure winbind.
>
> apt-get remove --purge sssd && apt-get autoremove --purge
>
> I successfully removed and re-joined the Linux domain member:
>
> root@SRVLNXWINTRA01:/home/data# net ads leave -U "com_spoleto\adminserver"
> Enter com_spoleto\adminserver's password:
> Deleted account for 'SRVLNXWINTRA01' in realm 'COMUNE.SPOLETO.LOCAL'
> root@SRVLNXWINTRA01:/home/data# net ads join -U "com_spoleto\adminserver"
> Enter com_spoleto\adminserver's password:
> Using short domain name -- COM_SPOLETO
> Joined 'SRVLNXWINTRA01' to dns domain 'comune.spoleto.local'
>
> I modified the config files (see below) and restarted the services:
>
> systemctl restart smbd nmbd winbind
>
> I verified that the SeDiskOperatorPrivilege was set up correctly for
> the "domain admins" group:
>
> root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
> Enter com_spoleto\adminserver's password:
> SeDiskOperatorPrivilege:
>   COM_SPOLETO\Domain Admins
>   BUILTIN\Administrators
>
> I verified the connectivity with the domain:
>
> root@SRVLNXWINTRA01:/home/data# wbinfo --ping-dc
> checking the NETLOGON for domain[COM_SPOLETO] dc connection to
> "SRVW3KDC01.comune.spoleto.local" succeeded
>
> but now when I look up domain users and groups:
>
> root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
> root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
>
> I get no response, and so I'm unable to assign the permission
> attribute to the share:
>
> root@SRVLNXWINTRA01:/home/data# LANG=en_EN chown root:"com_spoleto\domain admins" share
> chown: invalid group: 'root:com_spoleto\\domain admins'
>
> I'm very confused now!
>

OK, If I run this on a Unix domain member:

getent passwd samdom\rowland

I get no output, but this:

getent passwd samdom\\rowland

gets me this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I use the winbind 'ad' backend and 'Domain Admins' does not have a gidNumber attribute, but 'Domain Users' does.

getent group "samdom\\domain users"

gets me this:

domain users:x:10000:<list of group members>

Try running 'net cache flush' and then try again.

Rowland
Ok.
I've done

root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf

modified
idmap config COM_SPOLETO : backend = rid
to
idmap config COM_SPOLETO : backend = ad

root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root@SRVLNXWINTRA01:/home/data# net cache flush
root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"

nothing has changed!

More and more confused now! ☹

Sent from Mail for Windows 10

From: Rowland Penny via samba
Sent: Monday 8 January 2018 20:31
To: [hidden email]
Subject: Re: [Samba] R: R: cannot list/access samba share from Windows client

> OK, If I run this on a Unix domain member:
>
> getent passwd samdom\rowland
>
> I get no output, but this:
>
> getent passwd samdom\\rowland
>
> gets me this:
>
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> I use the winbind 'ad' backend and 'Domain Admins' does not have a
> gidNumber attribute, but 'Domain Users' does.
>
> getent group "samdom\\domain users"
>
> gets me this:
>
> domain users:x:10000:<list of group members>
>
> Try running 'net cache flush' and then try again.
>
> Rowland
On Mon, 8 Jan 2018 20:40:36 +0100
Andrea Rossetti <[hidden email]> wrote:

> Ok.
> I've done
>
> root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf
>
> modified
> idmap config COM_SPOLETO : backend = rid
> to
> idmap config COM_SPOLETO : backend = ad

Unless you now want to start adding uidNumber attributes to your users and gidNumber attributes to your groups, change it back. The 'rid' backend calculates the users' and groups' IDs from the AD object's RID. I do not use the 'rid' backend, I just tried to show you that it should work.

Change it back then run 'net cache flush' again.

Rowland
I've changed it back:

root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf

idmap config COM_SPOLETO : backend = ad
to
idmap config COM_SPOLETO : backend = rid

root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root@SRVLNXWINTRA01:/home/data# net cache flush
root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti

Nothing changed!!! ☹ ☹

Sent from Mail for Windows 10

From: Andrea Rossetti
Sent: Monday 8 January 2018 20:40
To: Rowland Penny; [hidden email]
Subject: R: [Samba] R: R: cannot list/access samba share from Windows client

> Ok.
> I've done
> root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf
>
> modified
> idmap config COM_SPOLETO : backend = rid
> to
> idmap config COM_SPOLETO : backend = ad
>
> root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
> root@SRVLNXWINTRA01:/home/data# net cache flush
> root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti
> root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
>
> nothing has changed!
>
> More and more confused now! ☹
>
> Sent from Mail for Windows 10
>
> From: Rowland Penny via samba
> Sent: Monday 8 January 2018 20:31
> To: [hidden email]
> Subject: Re: [Samba] R: R: cannot list/access samba share from Windows client
>
> > OK, If I run this on a Unix domain member:
> >
> > getent passwd samdom\rowland
> >
> > I get no output, but this:
> >
> > getent passwd samdom\\rowland
> >
> > gets me this:
> >
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > I use the winbind 'ad' backend and 'Domain Admins' does not have a
> > gidNumber attribute, but 'Domain Users' does.
> >
> > getent group "samdom\\domain users"
> >
> > gets me this:
> >
> > domain users:x:10000:<list of group members>
> >
> > Try running 'net cache flush' and then try again.
> >
> > Rowland
On Mon, 8 Jan 2018 20:55:22 +0100
Andrea Rossetti <[hidden email]> wrote:

> I've changed it back:
>
> root@SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf
>
> idmap config COM_SPOLETO : backend = ad
> to
> idmap config COM_SPOLETO : backend = rid
>
> root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
> root@SRVLNXWINTRA01:/home/data# net cache flush
> root@SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
> root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
> root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti
>
> Nothing changed!!! ☹ ☹
>

I changed the 'idmap config' block on my computer to this:

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM : backend = rid
  idmap config SAMDOM : range = 10000-999999

Restarted smbd, nmbd and winbind, then:

root@devstation:~# net cache flush
root@devstation:~# getent passwd samdom\\rowland
rowland:*:11107:10513:Rowland Penny:/home/rowland:/bin/bash

root@devstation:~# getent group "samdom\\domain admins"
domain admins:x:10512:administrator,swanadmin,rowland

As you can see, it works ;-)

If it isn't working for you, you must have something misconfigured or something missing. What do you have in /etc/hostname, /etc/hosts and /etc/resolv.conf ?

What packages did you install with the Samba packages ? (note: not the base OS packages, the packages installed when you installed Samba)

Rowland
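The two points Rowland makes in this thread about the idmap block, that the backend name has to be 'rid' (not 'rig') and that the 'rid' backend derives the Unix ID from the AD object's RID, can be checked offline before restarting winbind and flushing caches. The script below is an added example written for this page; it is not Samba project code and not something either poster ran. It parses the 'idmap config' lines of an smb.conf, applies the rules Samba documents for winbind idmap (a '*' default domain with an allocating backend such as tdb, a backend and a range for every domain, ranges that do not overlap, and a block keyed by the workgroup name rather than the realm), and reproduces the IDs in Rowland's output: with range low 10000, the well-known RIDs 512 (Domain Admins) and 513 (Domain Users) become 10512 and 10513, and RID 1107 becomes 11107. The two smb.conf fragments are constructed for the example, and the list of known backends is an assumption rather than a complete inventory.

```python
"""Sanity-check the winbind 'idmap config' lines of a Samba domain member
smb.conf and show what the 'rid' backend does with an Active Directory RID.

Added example, not Samba project code and not code posted in the thread.
The two smb.conf fragments are constructed for it; the checks encode the
rules Samba documents for winbind idmap (default '*' domain, backend and
range per domain, non-overlapping ranges, block keyed by the workgroup).
"""
import re

# winbind idmap backends shipped with Samba 4.x (assumption: not exhaustive).
KNOWN_BACKENDS = {"tdb", "rid", "ad", "autorid", "ldap", "nss", "rfc2307"}
# Backends able to hand out new IDs, which the '*' default domain needs.
ALLOCATING_BACKENDS = {"tdb", "autorid", "ldap"}
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_idmap(smb_conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line.
    Samba treats the domain name case-insensitively, so it is upper-cased."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value):
    """'10000-29999' -> (10000, 29999); None if missing, malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def check_idmap(smb_conf):
    """Return the problems found in the idmap block; an empty list means it looks sane."""
    cfg, problems, ranges = parse_idmap(smb_conf), [], {}
    wg = WORKGROUP_RE.search(smb_conf)
    if wg and wg.group(1).upper() not in cfg:
        problems.append(f"no 'idmap config' block for workgroup {wg.group(1).upper()}")
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain")
    for dom, opts in cfg.items():
        backend = opts.get("backend", "").lower()
        if not backend:
            problems.append(f"{dom}: backend missing")
        elif backend not in KNOWN_BACKENDS:
            problems.append(f"{dom}: unknown backend '{backend}'")
        elif dom == "*" and backend not in ALLOCATING_BACKENDS:
            problems.append(f"*: backend '{backend}' cannot allocate IDs for the default domain")
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            problems.append(f"{dom}: range missing or malformed")
        else:
            ranges[dom] = rng
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def rid_to_id(smb_conf, domain, rid):
    """What idmap_rid hands out for an AD object: ID = range low + RID.
    An object whose RID would land past the range's high end gets no ID at all."""
    opts = parse_idmap(smb_conf)[domain.upper()]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    lo, hi = parse_range(opts["range"])
    if lo + rid > hi:
        raise ValueError(f"RID {rid} maps to {lo + rid}, outside {lo}-{hi}")
    return lo + rid


# Constructed: the thread's first idmap block, 'rig' typo included and keyed
# by the realm instead of the workgroup.
SMB_CONF_BROKEN = """[global]
        workgroup = COM_SPOLETO
        idmap config comune.spoleto.local : range = 10000-29999
        idmap config comune.spoleto.local : backend = rig
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
"""
# Constructed: the SAMDOM block from the thread, with its workgroup line.
SMB_CONF_FIXED = """[global]
        workgroup = SAMDOM
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config SAMDOM : backend = rid
        idmap config SAMDOM : range = 10000-999999
"""

if __name__ == "__main__":
    for name, conf in (("broken", SMB_CONF_BROKEN), ("fixed", SMB_CONF_FIXED)):
        print(name, check_idmap(conf) or "looks sane")
    for rid in (512, 513, 1107):  # Domain Admins, Domain Users, a user account
        print(f"RID {rid} -> ID {rid_to_id(SMB_CONF_FIXED, 'samdom', rid)}")
```

Run against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`. The range check matters for the 'rid' backend in particular: a range of 10000-29999 only has room for RIDs below 20000, so an object with a higher RID silently gets no Unix ID and `getent` returns nothing for it, which is why Rowland's block uses 10000-999999.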
>From: Rowland Penny via samba
>Sent: Monday 8 January 2018 21:42
>To: [hidden email]
>Subject: Re: [Samba] R: R: R: cannot list/access samba share from Windows client
>
>I changed the 'idmap config' block on my computer to this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
>Restarted smbd, nmbd and winbind, then:
>
>root@devstation:~# net cache flush
>root@devstation:~# getent passwd samdom\\rowland
>rowland:*:11107:10513:Rowland Penny:/home/rowland:/bin/bash
>
>root@devstation:~# getent group "samdom\\domain admins"
>domain admins:x:10512:administrator,swanadmin,rowland
>
>As you can see, it works ;-)

I’ve done exactly as you (view /etc/samba/smb.conf below) but nothing changed!

>If it isn't working for you, you must have something misconfigured or
>something missing. What do you have in /etc/hostname, /etc/hosts
>and /etc/resolv.conf ?

root@SRVLNXWINTRA01:~# cat /etc/hostname
SRVLNXWINTRA01

root@SRVLNXWINTRA01:~# cat /etc/hosts
127.0.0.1       localhost
192.168.23.244  SRVLNXWINTRA01.comune.spoleto.local SRVLNXWINTRA01

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@SRVLNXWINTRA01:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
search comune.spoleto.local
search comune.spoleto.local
nameserver 192.168.23.11
nameserver 192.168.23.12

>What packages did you install with the Samba packages ? (note: not the
>base OS packages, the packages installed when you installed Samba)

I used apt-get install samba

root@SRVLNXWINTRA01:~# dpkg -l | grep samba
ii  python-samba        2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Python bindings for Samba
ii  samba               2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common        2:4.3.11+dfsg-0ubuntu0.16.04.12  all    common files used by both the Samba server and client
ii  samba-common-bin    2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules  2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba Directory Services Database
ii  samba-libs:amd64    2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba core libraries
ii  samba-vfs-modules   2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba Virtual FileSystem plugins

--------------------------------------------------------------
My /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config com_spoleto : range = 10000-999999
        idmap config com_spoleto : backend = rid
        idmap config * : range = 2000-9999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
On Mon, 8 Jan 2018 22:38:15 +0100
Andrea Rossetti <[hidden email]> wrote:

> >From: Rowland Penny via samba
> >Sent: Monday 8 January 2018 21:42
> >To: [hidden email]
> >Subject: Re: [Samba] R: R: R: cannot list/access samba share from
> >Windows client
> >
> >I changed the 'idmap config' block on my computer to this:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-999999
> >
> >Restarted smbd, nmbd and winbind, then:
> >
> >root@devstation:~# net cache flush
> >root@devstation:~# getent passwd samdom\\rowland
> >rowland:*:11107:10513:Rowland Penny:/home/rowland:/bin/bash
> >
> >root@devstation:~# getent group "samdom\\domain admins"
> >domain admins:x:10512:administrator,swanadmin,rowland
> >
> >As you can see, it works ;-)
>
> I’ve done exactly as you (view /etc/samba/smb.conf below) but nothing
> changed!
>
> >If it isn't working for you, you must have something misconfigured or
> >something missing. What do you have in /etc/hostname, /etc/hosts
> >and /etc/resolv.conf ?
>
> root@SRVLNXWINTRA01:~# cat /etc/hostname
> SRVLNXWINTRA01
>
> root@SRVLNXWINTRA01:~# cat /etc/hosts
> 127.0.0.1       localhost
> 192.168.23.244  SRVLNXWINTRA01.comune.spoleto.local SRVLNXWINTRA01
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> root@SRVLNXWINTRA01:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> search comune.spoleto.local
> search comune.spoleto.local
> nameserver 192.168.23.11
> nameserver 192.168.23.12
>
> >What packages did you install with the Samba packages ? (note: not
> >the base OS packages, the packages installed when you installed
> >Samba)
>
> I used apt-get install samba
>
> root@SRVLNXWINTRA01:~# dpkg -l | grep samba
> ii  python-samba        2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Python bindings for Samba
> ii  samba               2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common        2:4.3.11+dfsg-0ubuntu0.16.04.12  all    common files used by both the Samba server and client
> ii  samba-common-bin    2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba common files used by both the server and the client
> ii  samba-dsdb-modules  2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba Directory Services Database
> ii  samba-libs:amd64    2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba core libraries
> ii  samba-vfs-modules   2:4.3.11+dfsg-0ubuntu0.16.04.12  amd64  Samba Virtual FileSystem plugins
>
> --------------------------------------------------------------
> My /etc/samba/smb.conf
>
> # Global parameters
> [global]
>         workgroup = COM_SPOLETO
>         realm = COMUNE.SPOLETO.LOCAL
>         server string = %h server (Samba, Ubuntu)
>         interfaces = lo ens32
>         bind interfaces only = Yes
>         server role = member server
>         security = ADS
>         map to guest = Bad User
>         username map = /etc/samba/user.map
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         client signing = if_required
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         winbind refresh tickets = Yes
>         idmap config com_spoleto : range = 10000-999999
>         idmap config com_spoleto : backend = rid
>         idmap config * : range = 2000-9999
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         create mask = 0700
>         printable = Yes
>         browseable = No
>
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
>
> [share]
>         comment = Progetti QGIS per Lizmap
>         path = /home/data/share
>         read only = No
>         inherit acls = Yes

I think I understand it now ;-)

The Debian Samba package used to install winbind as a dependency; it
doesn't now. Try running this (as root):

apt-get install winbind libnss-winbind libpam-winbind

The last two packages are the 'glue' between winbind and nsswitch

Rowland
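The two things that had to be right on this domain member were a consistent 'idmap config' block (Rowland's working block above, with the '*' default range disjoint from the domain range) and winbind being wired into nsswitch, which is what libnss-winbind provides. The script below is an added example, not code from the thread or from Samba: it parses the idmap lines of an smb.conf text and the passwd/group lines of an nsswitch.conf text and reports a missing backend, a missing or malformed range, overlapping ranges, and a passwd or group database that does not list winbind. The smb.conf and nsswitch.conf fragments embedded in it are constructed for the example (the good smb.conf mirrors the one posted above), and the function names are my own. It only reads; it changes nothing on the system.

```bash
#!/bin/bash
# Added example (not from the thread): read-only sanity checks for the
# 'idmap config' block of smb.conf and the winbind source in nsswitch.conf.

# Constructed smb.conf fragment modelled on the working config in the thread.
SMB_CONF_OK='[global]
        workgroup = COM_SPOLETO
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config COM_SPOLETO : backend = rid
        idmap config COM_SPOLETO : range = 10000-999999
'
# Constructed broken variant: default range overlaps the domain range and
# the domain entry has no backend.
SMB_CONF_BAD='[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config COM_SPOLETO : range = 5000-29999
'
# Constructed nsswitch.conf fragments, with and without winbind.
NSS_OK='passwd:         compat winbind
group:          compat winbind
shadow:         compat'
NSS_BAD='passwd:         compat
group:          compat
shadow:         compat'

# Reduce every "idmap config <dom> : <key> = <value>" line to "dom|key|value".
idmap_entries() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]+$//' \
        | sed -nE 's/^[[:space:]]*idmap config[[:space:]]*([^:[:space:]]+)[[:space:]]*:[[:space:]]*([a-z_]+)[[:space:]]*=[[:space:]]*(.*)$/\1|\2|\3/p'
}

# check_idmap CONFIG_TEXT: prints one line per problem; returns 0 only if none.
check_idmap() {
    local entries problems=0 dom backend range ranges='' overlaps
    entries=$(idmap_entries "$1")
    # Read domains line by line: word-splitting a domain named '*' would glob.
    while IFS= read -r dom; do
        [ -n "$dom" ] || continue
        backend=$(printf '%s\n' "$entries" | awk -F'|' -v d="$dom" '$1 == d && $2 == "backend" { print $3 }')
        range=$(printf '%s\n' "$entries" | awk -F'|' -v d="$dom" '$1 == d && $2 == "range" { print $3 }')
        if [ -z "$backend" ]; then
            echo "idmap config $dom: no backend set"
            problems=$((problems + 1))
        fi
        if ! printf '%s' "$range" | grep -Eq '^[0-9]+-[0-9]+$'; then
            echo "idmap config $dom: missing or malformed range '$range'"
            problems=$((problems + 1))
            continue
        fi
        ranges="$ranges$dom ${range%-*} ${range#*-}
"
    done <<EOF
$(printf '%s\n' "$entries" | cut -d'|' -f1 | sort -u)
EOF
    # winbind refuses overlapping ranges, so every pair must be disjoint.
    overlaps=$(printf '%s' "$ranges" | awk 'NF == 3 { n++; name[n] = $1; lo[n] = $2; hi[n] = $3 }
        END { for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                  if (lo[i] + 0 <= hi[j] + 0 && lo[j] + 0 <= hi[i] + 0)
                      printf "ranges overlap: %s (%s-%s) and %s (%s-%s)\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j] }')
    if [ -n "$overlaps" ]; then
        printf '%s\n' "$overlaps"
        problems=$((problems + $(printf '%s\n' "$overlaps" | grep -c .)))
    fi
    [ "$problems" -eq 0 ]
}

# check_nsswitch NSSWITCH_TEXT: passwd and group must name winbind as a
# source (the hook libnss-winbind provides); returns 0 only if both do.
check_nsswitch() {
    local problems=0 db
    for db in passwd group; do
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|\$)"; then
            echo "nsswitch.conf: '$db' does not use winbind"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# problem_count FUNC TEXT: number of problem lines FUNC reports for TEXT.
problem_count() {
    "$1" "$2" | grep -c .
}

# Stand-alone run: the constructed configs first, then the live files if readable.
main() {
    check_idmap "$SMB_CONF_OK" && echo "constructed good smb.conf: idmap ok"
    check_idmap "$SMB_CONF_BAD" || echo "constructed bad smb.conf: idmap problems listed above"
    check_nsswitch "$NSS_OK" && echo "constructed good nsswitch.conf: ok"
    check_nsswitch "$NSS_BAD" || echo "constructed bad nsswitch.conf: problems listed above"
    if [ -r /etc/samba/smb.conf ] && [ -r /etc/nsswitch.conf ]; then
        check_idmap "$(cat /etc/samba/smb.conf)" && echo "live smb.conf: idmap ok"
        check_nsswitch "$(cat /etc/nsswitch.conf)" && echo "live nsswitch.conf: ok"
    fi
    return 0
}
main
```

Run it on the member server before the restart-and-flush cycle: the overlap check catches the case where the '*' range and the domain range collide, and the nsswitch check tells you whether 'getent' can even reach winbind, which is the symptom this thread chased for several messages.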
Sent from Mail for Windows 10

From: Rowland Penny via samba
Sent: Monday 8 January 2018 22:52
To: [hidden email]
Subject: Re: [Samba] R: R: R: R: cannot list/access samba share from Windows client

>I think I understand it now ;-)
>
>The Debian Samba package used to install winbind as a dependency; it
>doesn't now. Try running this (as root):
>
>apt-get install winbind libnss-winbind libpam-winbind
>
>The last two packages are the 'glue' between winbind and nsswitch

Ok, now I can look up Domain Users and Groups

root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
COM_SPOLETO\andrea.rossetti:*:11212:10513:Andrea Rossetti:/home/COM_SPOLETO/andrea.rossetti:/bin/false
root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
COM_SPOLETO\domain admins:x:10512:

I can set permissions on the shared folder

root@SRVLNXWINTRA01:/home/data# chown root:"com_spoleto\domain admins" share
root@SRVLNXWINTRA01:/home/data# chmod 2770 share/
root@SRVLNXWINTRA01:/home/data# ls -la
totale 20
drwxrws--- 2 root COM_SPOLETO\domain admins 4096 gen  8 19:39 share

But I have the same problem that I had before, when I had sssd instead of winbind:

1. Execute Computer Management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin, which is a “domain admins” member).
2. Right click on Computer Management -> connect to another computer -> srvlnxwintra01 (the Linux member server).
3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares” -> right click on “share” -> click Properties -> click on the “Security” tab. In this tab I have the message “You must have Read permission to view the properties of this object”, even if I have granted SeDiskOperatorPrivilege to the “com_spoleto\domain admins” group. But if I execute “Computer Management” as the “com_spoleto\adminserver” user (I explained below the reason I used this user) I can view/modify the ACLs.
4. Even if I change the permissions using adminserver, adding domain admins full control to this folder, subfolders and files and adding domain users read and execute to this folder, subfolders and files, neither a simple user nor a domain admin user can list the shares in \\servermember

Please help me, thanks!
I’m more and more and more confused. ☹
>From: Rowland Penny via samba
>Sent: Monday 8 January 2018 22:52
>To: [hidden email]
>Subject: Re: [Samba] R: R: R: R: cannot list/access samba share from Windows client
>
>>I think I understand it now ;-)
>>
>>The Debian Samba package used to install winbind as a dependency; it
>>doesn't now. Try running this (as root):
>>
>>apt-get install winbind libnss-winbind libpam-winbind
>>
>>The last two packages are the 'glue' between winbind and nsswitch
>
>Ok, now I can look up Domain Users and Groups
>
>root@SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
>COM_SPOLETO\andrea.rossetti:*:11212:10513:Andrea Rossetti:/home/COM_SPOLETO/andrea.rossetti:/bin/false
>root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins"
>COM_SPOLETO\domain admins:x:10512:
>
>I can set permissions on the shared folder
>
>root@SRVLNXWINTRA01:/home/data# chown root:"com_spoleto\domain admins" share
>root@SRVLNXWINTRA01:/home/data# chmod 2770 share/
>root@SRVLNXWINTRA01:/home/data# ls -la
>totale 20
>drwxrws--- 2 root COM_SPOLETO\domain admins 4096 gen  8 19:39 share
>
>But I have the same problem that I had before, when I had sssd instead of winbind:
>1. Execute Computer Management from a Windows domain member client as a domain admin user (run as
>com_spoleto\rossetti.admin, which is a “domain admins” member).
>2. Right click on Computer Management -> connect to another computer -> srvlnxwintra01 (the Linux member
>server).
>3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares” -> right click on “share” -> click
>Properties -> click on the “Security” tab. In this tab I have the message “You must have Read permission to view the properties of this object”, even if I have granted SeDiskOperatorPrivilege to the “com_spoleto\domain admins” group. But if I execute “Computer Management” as the “com_spoleto\adminserver” user (I explained below the
>reason I used this user) I can view/modify the ACLs.
>4. Even if I change the permissions using adminserver, adding domain admins full control to this folder, subfolders and files and adding domain users read and execute to this folder, subfolders and files, neither a simple user nor a domain admin user can list the shares in \\servermember
>
>Please help me, thanks!
>I’m more and more and more confused. ☹

I tried again this morning, only point 4, and now I can do things that last night it did not let me do, without changing any configuration. Does the night bring advice? 😊 😊 😊

Seriously… now both the “domain users” and “domain admins” can list the share on \\linuxservermember, the “domain admins” with full control and the “domain users” read only.

Do the ACL configurations take time to be transposed by samba when done from a Windows client via the “Computer Management” snap-in??
On Tue, 9 Jan 2018 09:58:44 +0100
Andrea Rossetti <[hidden email]> wrote:

> >From: Rowland Penny via samba
> >Sent: Monday 8 January 2018 22:52
> >To: [hidden email]
> >Subject: Re: [Samba] R: R: R: R: cannot list/access samba share
> >from Windows client
> >
> >>I think I understand it now ;-)
> >>
> >>The Debian Samba package used to install winbind as a dependency; it
> >>doesn't now. Try running this (as root):
> >>
> >>apt-get install winbind libnss-winbind libpam-winbind
> >>
> >>The last two packages are the 'glue' between winbind and nsswitch
> >
> >Ok, now I can look up Domain Users and Groups
> >
> >root@SRVLNXWINTRA01:/home/data# getent passwd
> >com_spoleto\andrea.rossetti
> >COM_SPOLETO\andrea.rossetti:*:11212:10513:Andrea
> >Rossetti:/home/COM_SPOLETO/andrea.rossetti:/bin/false
> >root@SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain
> >admins"
> >COM_SPOLETO\domain admins:x:10512:
> >
> >I can set permissions on the shared folder
> >
> >root@SRVLNXWINTRA01:/home/data# chown root:"com_spoleto\domain
> >admins" share
> >root@SRVLNXWINTRA01:/home/data# chmod 2770 share/
> >root@SRVLNXWINTRA01:/home/data# ls -la
> >totale 20
> >drwxrws--- 2 root COM_SPOLETO\domain admins 4096 gen  8 19:39
> >share
> >
> >But I have the same problem that I had before, when I had sssd
> >instead of winbind:
> >1. Execute Computer Management from a Windows domain member client
> >as a domain admin user (run as com_spoleto\rossetti.admin, which is
> >a “domain admins” member).
> >2. Right click on Computer Management -> connect to another computer
> >-> srvlnxwintra01 (the Linux member server).
> >3. I expand “System Tools” -> I expand “Shared Folders” -> click on
> >“Shares” -> right click on “share” -> click Properties -> click on
> >the “Security” tab. In this tab I have the message “You must have
> >Read permission to view the properties of this object”, even if I
> >have granted SeDiskOperatorPrivilege to the “com_spoleto\domain
> >admins” group. But if I execute “Computer Management” as the
> >“com_spoleto\adminserver” user (I explained below the reason I used
> >this user) I can view/modify the ACLs.
> >4. Even if I change the permissions using adminserver, adding domain
> >admins full control to this folder, subfolders and files and adding
> >domain users read and execute to this folder, subfolders and files,
> >neither a simple user nor a domain admin user can list the shares
> >in \\servermember
> >
> >Please help me, thanks!
> >I’m more and more and more confused. ☹
>
> I tried again this morning, only point 4, and now I can do things
> that last night it did not let me do, without changing any
> configuration. Does the night bring advice? 😊 😊 😊
>
> Seriously… now both the “domain users” and “domain admins” can list
> the share on \\linuxservermember, the “domain admins” with full
> control and the “domain users” read only.
>
> Do the ACL configurations take time to be transposed by samba when
> done from a Windows client via the “Computer Management” snap-in??

We have a wiki page for this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland